directory-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Karasulu <>
Subject Re: [jira] Created: (DIRSERVER-1383) There is a confusion between Anonymous access and Access to rootDSE
Date Tue, 21 Jul 2009 14:44:08 GMT
Just some history.  When we went from using JNDI interfaces in the core to
using our own well defined interfaces many things were a mess including this
area.  At one point I revamped this area of the code cleaning up a lot of
the configuration which was still trying to use Properties a la the old JNDI
I remember paying close attention to allow search operations to occur
without a previous bind on the RootDSE regardless of whether or not
anonymous binds were enabled or not.  This was done specifically to allow
for client's to discover the various ways they could bind to the directory
by reading the RootDSE's contents.

I've always thought the RootDSE was something that should be world readable
but I may be wrong now with better clarification in the latest RFC revamp.
 Plus life has been hard and I cannot say I've been on top of these matters
as I should.

It might be best to consolidate the behavior of anonymous access to the
server into a single configuration parameter which is an enumerated type
with the following values.  Let's call it anonymousAccess:

   o ANY - anonymous access to ANY entry is allowed
   o ROOTDSE - anonymous access is only allowed on the RootDSE
   o NONE - anonymous access is NOT allowed on any entry

All these modes are still subject to any ACI restrictions that may
additionally be configured by administrators.  This parameter only governs
at a high level which operations the network protocol layer will allow to
occur on entries.  Of course the lower layers also need to adhere to this
policy if for example calls are made directly to the core interfaces via
embedded server configurations where the API is used.


On Tue, Jul 21, 2009 at 4:24 AM, Emmanuel Lecharny <>wrote:

> Stefan Zoerner wrote:
>> Quanah Gibson-Mount wrote:
>>> --On Monday, July 20, 2009 9:50 PM -0400 Alex Karasulu <
>>>> wrote:
>>>  Ahhh okie you're right on.  My bad.
>>> This is quite correct.  There are even some (stupid) security programs
>>> that will say being able to read the rootDSE is a vulnerability.  OTOH, I've
>>> always left it read to the world, most clients prefer it. :P
>> There are also tests within the Open Group LDAP certification suite which
>> check whether the Root DSE is readable anonymously. But it is OK, if we are
>> able to configure a server to behave like that for a test run. No need to
>> make that the default.
> Stefan, all what we need is a way to send a SearchRequest targetting the
> RootDSE without a previous Bindrequest. Not sure that JNDI alllows such
> operation.
> As soon as we can read rootDSE without being bound, then we are golden, as
> the way we protect the rest of the entries is different.
> Also, the RFC states that the rootDSE *may* be protected, which does not
> mean it should be. And I think, as Quanah, that it does not make a lot of
> sense to protect it, unless you want to get numerous mails on the users
> mailing list about the unavailable rootDSE ;)
> Thanks Stefan !
> --
> --
> cordialement, regards,
> Emmanuel L├ęcharny

Alex Karasulu
My Blog ::
Apache Directory Server ::
Apache MINA ::

View raw message